Re: Fingerprinting guidance update; responding to feedback, Note publication?

Worth, in that case, talking to some geolocation folks, as they have lots of experience of adjusting the precision of the data accessible via an API...

R

Robin Wilton

Technical Outreach Director - Identity and Privacy

On 28 Aug 2015, at 20:16, "Joseph Lorenzo Hall" <joe@cdt.org> wrote:

> That's a good point, we should check to see if there is a warning
> about overly-precise API elements and add that if not. Nick, holler if
> you want text! best, Joe
> 
> On Thu, Aug 27, 2015 at 11:24 PM, David Singer <singer@apple.com> wrote:
>> Does this draft need to mention avoidance of enabling fingerprinting by excessive precision of an otherwise ‘innocuous’ API?  (E.g. I can differentiate batteries, and hence distinct visitors, by looking at precise measurements of batteries).
>> 
>> 
>>> On Aug 27, 2015, at 22:54 , Joseph Lorenzo Hall <joe@cdt.org> wrote:
>>> 
>>> It would be great to start the process to publish this as a draft PING note! The new changes look awesome, Nick.
>>> 
>>> There are still some outstanding things in the document; are those ok for a draft note, or do we need to try to close them out before we publish?
>>> 
>>> The note in 1.2.1 seems to be dealt with by adding a blurb about how this is not distinct from unexpected correlation (although why 1.2.2 is not enough, I don't know) and clarifying that this practice can result in collapsing pseudonymous identities into linked personas or something like that.
>>> 
>>> We should definitely reach out to the HTML WG to ask if the fingerprint warning indicia has been useful or helpful.
>>> 
>>> I don't think I understand ISSUE 1... can we say anything about best practices across UA implementations that might require cooperation outside of the spec?
>>> 
>>> 
>>> 
>>> On Sun, Aug 23, 2015 at 9:58 PM, Nick Doty <npdoty@w3.org> wrote:
>>> I've revised the Fingerprinting Guidance for Web Specification Authors text, responding as best I can to comments from the TAG, the Tor Browser folks and other comments via mailing list.
>>> 
>>> http://w3c.github.io/fingerprinting-guidance/
>>> 
>>> Changes in particular include:
>>> * moving feasibility question up earlier, emphasizing realism/pessimism
>>> * clarifying some of the best practices, regarding unnecessary additions to fingerprinting surface
>>> * additional examples and references (in particular, to the TAG finding on unsanctioned tracking)
>>> * filling in to-do sections (and marking remaining ones with issue boxes)
>>> 
>>> To clarify the status of this document and to gather wider review, I think it would be useful to publish this as a draft Interest Group Note. As a Process matter, that would consist of: the Interest Group deciding we want to publish it as an Interest Group Note; getting confirmation from the domain lead that we can use this name/shortname; publishing a snapshot on w3.org indicating its status as a draft Note; asking chairs and other groups for feedback.
>>> 
>>> And in any case, I'd welcome further feedback, additions, subtractions and the like. I get the impression that specific examples from different specs/Working Groups would be the most welcome addition.
>>> 
>>> Thanks,
>>> Nick
>>> 
>>> 
>>> 
>>> --
>>> Joseph Lorenzo Hall
>>> Chief Technologist
>>> Center for Democracy & Technology
>>> 1634 I ST NW STE 1100
>>> Washington DC 20006-4011
>>> (p) 202-407-8825
>>> (f) 202-637-0968
>>> joe@cdt.org
>>> PGP: https://josephhall.org/gpg-key
>>> fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871
>>> 
>>> 
>> 
>> David Singer
>> Manager, Software Standards, Apple Inc.
>> 
> 

Received on Saturday, 29 August 2015 14:56:22 UTC
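
Added example, not part of the original thread: a sketch of the precision concern raised above, measuring how distinguishable visitors remain when a reading is exposed at full precision versus rounded to coarser steps. The function names and the eight battery-level readings are constructed for illustration.

```javascript
// Added illustration; function names and sample readings are constructed.

// Shannon entropy in bits of the reported values across a set of visitors.
function entropyBits(values) {
  const counts = new Map();
  for (const v of values) counts.set(v, (counts.get(v) || 0) + 1);
  let bits = 0;
  for (const c of counts.values()) {
    const p = c / values.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Round a 0..1 reading to a fixed step before it is exposed to script.
function quantize(value, step) {
  const buckets = Math.round(1 / step);
  return Math.round(value * buckets) / buckets;
}

// Summarize the fingerprinting surface of one API value at a given step.
// step = null means the raw reading is exposed unchanged.
function surface(readings, step) {
  const reported = step === null ? readings : readings.map((r) => quantize(r, step));
  const groups = new Map();
  for (const v of reported) groups.set(v, (groups.get(v) || 0) + 1);
  return {
    distinctValues: groups.size,
    smallestGroup: Math.min(...groups.values()),
    bits: entropyBits(reported),
  };
}

// Constructed sample: battery level as seen from eight different visitors.
const SAMPLE_LEVELS = [0.9301, 0.9287, 0.9412, 0.9354, 0.5113, 0.5098, 0.5242, 0.5171];

for (const step of [null, 0.01, 0.1]) {
  const s = surface(SAMPLE_LEVELS, step);
  console.log(`step=${step}: ${s.distinctValues} distinct values, ` +
    `smallest group ${s.smallestGroup}, ${s.bits.toFixed(2)} bits`);
}
```

The bit counts are relative to this small sample; assessing a real API needs the distribution of values over its actual user population.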